Exclusive: Emails of top NRCC officials stolen in major 2018 hack

The House GOP campaign arm suffered a major hack during the 2018 midterm campaigns, exposing thousands of sensitive emails to an outside intruder, according to three senior party officials.

The email accounts of four senior aides at the National Republican Congressional Committee were surveilled for several months, the party officials said. The intrusion was detected in April by an NRCC vendor, who alerted the committee and its cybersecurity contractor. An internal investigation was initiated, and the FBI was alerted to the attack, said the officials, who requested anonymity to discuss the incident.

Story Continued Below

However, senior House Republicans — including Speaker Paul Ryan of Wisconsin, Majority Leader Kevin McCarthy of California and Majority Whip Steve Scalise of Louisiana — were not informed of the hack until Politico contacted the NRCC on Monday with questions about the episode. Rank-and-file House Republicans were not told, either.

Rep. Steve Stivers of Ohio, who served as NRCC chairman this past election cycle, did not respond to repeated requests for comment.

Committee officials said they decided to withhold the information because they were intent on conducting their own investigation and feared that revealing the hack would compromise efforts to find the culprit.

POLITICO Playbook newsletter

Sign up today to receive the #1-rated newsletter in politics

Email

By signing up you agree to receive email newsletters or alerts from POLITICO. You can unsubscribe at any time.

“We don’t want to get into details about what was taken because it’s an ongoing investigation,” said a senior party official. “Let’s say they had access to four active accounts. I think you can draw from that.”

The hack became a major source of consternation within the committee as the midterm campaign unfolded. The NRCC brought on the prominent Washington law firm Covington & Burling as well as Mercury Public Affairs to oversee the response to the hack. The NRCC paid the two firms hundreds of thousands of dollars to help respond to the intrusion. The committee’s chief legal counsel, Chris Winkelman, devoted many hours to dealing with the matter.

Party officials would not say when the hack began or who was behind it, although they privately believe it was a foreign agent because of the nature of the attack.

Donor information was not compromised during the intrusion, the party officials said.

“The NRCC can confirm that it was the victim of a cyber intrusion by an unknown entity. The cybersecurity of the Committee’s data is paramount, and upon learning of the intrusion, the NRCC immediately launched an internal investigation and notified the FBI, which is now investigating the matter,” said Ian Prior, a vice president at Mercury.

Prior, a former Justice Department official and NRCC operative, has been working with the committee to deal with the matter.

“To protect the integrity of that investigation, the NRCC will offer no further comment on the incident,” Prior added.

An FBI spokesperson declined to comment on its investigation into the incident.

None of the information accessed during the hack — thousands of emails from senior NRCC aides — has appeared in public, party officials said. And they said there were no attempts to threaten the NRCC or its leadership during the campaign with exposure of the information.

But the fact that the NRCC was hacked and withheld that information is likely to prove embarrassing at a time when Republicans are grappling with an election in which they lost 40 seats and control of the House. President Donald Trump has also claimed that Republicans are better than Democrats at cybersecurity, explaining why one party was hacked in 2016 but the other was not.

“The DNC should be ashamed of themselves for allowing themselves to be hacked. They had bad defenses, and they were able to be hacked,” Trump told CBS News in July. “I heard they were trying to hack the Republicans, too. But, and this may be wrong, but they had much stronger defenses.”

Rep. Tom Emmer of Minnesota will take over as NRCC chairman this cycle, a selection that was directly approved by McCarthy. Emmer is in the process of hiring his own senior aides for the committee, a normal procedure when a new chairman takes over a party committee. Emmer was first briefed on the hack on Monday evening.

Cybersecurity remains a pressing concern for politicians and political committees, heightened by the high-profile Russian hacking of the Democratic National Committee and Hillary Clinton campaign chief John Podesta during the 2016 election cycle. It’s not clear, however, what the NRCC could have done to avoid this intrusion.

The hack was first detected by an MSSP, a managed security services provider that monitors the NRCC’s network. The MSSP informed NRCC officials and they, in turn, alerted Crowdstrike, a well-known cybersecurity firm that had already been retained by the NRCC.

Like other major committees, the NRCC also had security procedures in place before the election cycle began to try to limit the amount of information that could be exposed to a potential hacker. It also employed a full-time cybersecurity employee.